TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Progress Has Been Made in Using the Tivoli® Software Suite, Although Enhancements Are Needed to Better Distribute Software Updates and Reconcile Computer Inventories

December 2005

Reference Number: 2006-20-021

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

December 14, 2005

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Phillips
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Progress Has Been Made in Using the Tivoli® Software Suite, Although Enhancements Are Needed to Better Distribute Software Updates and Reconcile Computer Inventories (Audit # 200520003)

This report presents the results of our review of the effectiveness of the Internal Revenue Service’s (IRS) Tivoli®[1] Enterprise Systems Management function applications.
The Tivoli® applications provide the IRS with the ability to systemically deliver the most current versions of software and updated security patches[2] to employees’ computers and to scan the network for maintaining accurate computer inventory records. Because the IRS has over 100,000 employees, these tasks can be daunting; yet they are very important. Unsuccessful software distributions can lead to missing patches on computers, which, in turn, could expose the computers to exploitation by hackers, disgruntled employees, and/or malicious programs. In addition, maintaining an accurate computer inventory is crucial for the accuracy of the IRS’ financial statements.

Synopsis

The IRS has shown significant progress in using Tivoli® applications for distributing software updates to computers. Much of that progress can be attributed to the IRS’ efforts to improve Tivoli’s® ability to connect to more computers. While these improvements are commendable, the IRS can take further actions to improve its software distribution success rate, better use Tivoli® data for inventory reconciliation and software license management, and increase its overall ability to connect to computers.

[1] Tivoli® is a registered trademark owned by IBM.
[2] A patch is a fix to a program as a result of a design flaw in the program. Patches must be installed or applied to the applicable computer to correct the flaw.

The IRS has used Tivoli® to successfully install software updates to 77 percent of its computers, compared to 44 percent about 2 years ago.
However, the two most frequent and important types of software distributions made (updates to the IRS’ Common Operating Environment[3] and Microsoft Windows security patches) were also the most problematic during January through May 2005. The IRS installed only 62 percent of these software distributions successfully. In some instances, the IRS combined multiple updates into single distributions. We believe the size of the distributions made installation more difficult. We noted that the IRS lacks guidance on developing software distribution packages.

We also identified two inventory management issues that could be improved by using the Tivoli® software Inventory application. First, Tivoli® produces weekly reports to reconcile its data and data from the IRS’ official computer equipment database, the Information Technology Asset Management System (ITAMS). We found these reconciliation reports identified an average of over 8,300 mismatched computers during the period March through May 2005. IRS personnel attempted to resolve the mismatched computers but were hampered by the mislabeling of computer names on the ITAMS. As such, the IRS abandoned these efforts. Because the mismatches were not resolved, the IRS’ information technology inventory system likely does not include all IRS computers.

Second, the IRS did not use information from Tivoli® to ensure software installed on computers complied with license agreements. Tivoli® can aid in this effort through its ability to scan and identify software on every desktop and laptop computer, a process that, if done manually, would require an enormous effort. Tivoli® software data are not used because the IRS has not outlined policies and procedures regarding software management.
By not managing software installations and licenses, the IRS could be violating software license agreements by installing more copies of software than were purchased, resulting in embarrassment and unnecessary legal fees. For example, Tivoli® data showed that 494 unique computers had proprietary reporting software installed, but the IRS could document only 142 licenses.

[3] The Common Operating Environment is a standardized, configured computer image integrated with a set of standard software packages to support the needs of all IRS employees.
[4] The Sasser worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows computers and transferred additional exploitable code to the computers. It also probed for other computers to infect. This worm rendered computers inoperable.

Lastly, the IRS estimates that Tivoli® can now connect to 95 percent of its computers, compared to 60 percent about 2 years ago. The ability to connect to more computers can have a direct effect on the success of software distributions and the accuracy of inventory management data. The IRS determines the percentage of computers managed by Tivoli® by whether Tivoli® has connected to a computer within 30 days. However, as recent events such as the Sasser worm[4] and other fast-moving computer security outbreaks have shown, the IRS must install critical security patches as soon as possible. We believe using a 1-week connectivity criterion is more realistic and appropriate in today’s environment.
Using this criterion, we estimate the IRS cannot reach 18 percent of its computers (approximately 18,750 computers) in any given week.

We identified several reasons why some computers cannot connect to the Tivoli® system or did not have the Tivoli® client software installed. For example, the IRS had not documented procedures for installing and maintaining Tivoli® software on computers, responsible persons did not have access to computers to resolve connection problems, and the IRS may have taken some computers out of service without notifying employees responsible for maintaining Tivoli® applications. By being unable to connect to thousands of computers through the Tivoli® system, the IRS will not be fully benefiting from the use of Tivoli® and will continue to use limited resources to manually administer these computers, particularly for installing the latest virus patches and inventorying hardware and software.

Recommendations

To improve software distributions, we recommended the Chief Information Officer develop procedures that provide formal guidance and standardization in preparing software distributions.

To improve the use of Tivoli® software Inventory application data, we recommended the Chief Information Officer require the Associate Chief Information Officer, End User Equipment and Services, to resolve mismatches between Tivoli® data and the ITAMS and to ensure all desktops, laptops, and servers comply with the IRS’ computer naming standards. The Chief Information Officer should ensure software management policies and procedures are provided and responsibility for software management is specified.
The policies and procedures should require the use of Tivoli® software Inventory application data to monitor compliance with software licenses.

To improve Tivoli® computer connectivity, we recommended the Chief Information Officer notify all employees of the need for computers to remain online whenever possible, provide employees assigned Tivoli® responsibilities adequate access to computers, separately account for Tivoli® computers that are taken out of service for backup or emergency purposes, and assign formal responsibility for incorporating computers without the Tivoli® client software into Tivoli®.

Response

IRS management agreed with all of our recommendations. Specifically, the Associate Chief Information Officer, End User Equipment and Services, will develop formal procedures that provide guidance and standardization in the preparation of software distributions; develop procedures to resolve mismatches between Tivoli® data and the ITAMS, ensuring all desktops, laptops, and servers comply with the IRS’ computer naming standards; and develop software management policies and procedures that will identify responsibility for software management. These procedures will require the use of Tivoli® software Inventory application data to monitor compliance with software licenses.

The Associate Chief Information Officer, End User Equipment and Services, will also develop a plan and procedures to ensure appropriate Enterprise Systems Management function employees have adequate access to computers and networks to resolve computer
connectivity issues. The plan and procedures will account for modifying the script[5] used for installing the Tivoli® software client on users’ workstations via the Windows Administration group for the purpose of managing Tivoli® computers. Second, the plan and/or procedures will also grant access to appropriate personnel in the Offices of Appeals, Chief Counsel, and Criminal Investigation for managing Tivoli® computer connections.

In addition, the Associate Information Officer, End User Equipment and Services, will continue to notify all IRS employees via Employee Advisories of the need for computers to remain online and connected to the IRS network whenever possible; develop appropriate processes and procedures to provide exception reporting when computers are taken offline and brought back online to ensure Tivoli® recognizes them; and develop a process/procedure to identify systems that are not being managed by Tivoli® software so they can either receive the Tivoli® software, become part of the Tivoli® managed group, or be removed from the network. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[5] A script is a short program written in a general-purpose programming language to perform certain tasks, including those that are repetitive in nature.

Table of Contents

Background

Results of Review
    While Software Distribution Has Improved, Critical Updates Were Not Always Installed
        Recommendation 1
    Tivoli® Data Are Not Being Used to Manage Computer Inventory and Software Licenses
        Recommendations 2 and 3
    Tivoli® Could Improve Software Distribution and Inventory Management by Connecting to More Computers
        Recommendations 4 and 5
        Recommendations 6 and 7

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Background

The Internal Revenue Service (IRS) has over 100,000 employees, many of whom use a computer to carry out their job responsibilities. To address the challenge of managing and controlling its geographically dispersed computer resources, the IRS implemented the Tivoli®[1] software suite. The Tivoli® applications have the potential to improve productivity by systemically delivering the most current versions of software and updated security patches[2] to employees’ computers. Security patches are important in protecting an agency’s computers from viruses and hackers. Typically, the software industry self-polices the quality of its products by identifying software security vulnerabilities after the product has been on the market. To correct these security vulnerabilities, the software vendors issue security patches.
However, hackers are also acutely aware of all security vulnerabilities being identified and will use these vulnerabilities to launch attacks and/or create malicious programs to take advantage of these flaws.

The importance of installing security patches was best illustrated with a 2004 Federal Bureau of Investigation study,[3] which showed that 91 percent of all computer system intrusions could have been prevented if related security patches had been implemented for countering known vulnerabilities. The 2005 E-Crime Watch survey[4] found that manual patch management, a method still commonly used, was rated as the single least effective technology used by organizations responding to the survey. Coupled with the fact that the CERT® Coordination Center[5] found 3,780 security vulnerabilities were reported during 2004, it is clear that manual patching in a large bureau like the IRS would be overwhelming and ineffective.

By using the Tivoli® software suite to perform the task of distributing software updates and security patches, the IRS can use its limited information technology personnel resources more efficiently. The Tivoli® software suite also provides the IRS with the ability to automatically scan and collect hardware and software information that can be used to improve the accuracy of the IRS computer inventory. This inventory is critical because it is used to support IRS financial statements. Use of a manual method would require the IRS computer support staff to physically log onto each computer, creating too great a burden due to the sheer number of computers maintained by the IRS.

[1] Tivoli® is a registered trademark owned by IBM.
[2] A patch is a fix to a program as a result of a design flaw in the program. Patches must be installed or applied to the applicable computer to correct the flaw.
[3] The 2004 Computer Crime and Security Survey was conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The 2004 survey results were based on the responses of 494 computer security practitioners across the United States.
[4] This survey was conducted by CSO (Chief Security Officer) magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT® Coordination Center. The research was conducted to unearth electronic crime-fighting trends and techniques, including best practices and emerging trends.
[5] Established in 1988, the CERT® Coordination Center is a center of Internet security expertise, located at the Software Engineering Institute, a Federally funded research and development center operated by Carnegie Mellon University.

Responsibility for using the Tivoli® software suite lies with the Enterprise Systems Management (ESM) function, whose mission is to provide design, development, deployment, and operational support for the enterprise-wide management of IRS computers.
The ESM function is part of the End User Equipment and Services division of the Information Technology Services organization.

In Fiscal Year 2003, we conducted a review of the IRS’ implementation of the Tivoli® software suite,[6] identifying several weaknesses in the management control practices that, if not corrected, could reduce the overall effectiveness and actual benefits of the Tivoli® implementation. The weaknesses included the absence of policies and guidelines to promote Tivoli® computer connectivity and a lack of staff assigned to resolve Tivoli® computer connectivity and software distribution problems.

While the IRS uses several Tivoli® applications, this review focused on the Tivoli® software Distribution and software Inventory applications. In addition, we reviewed the effectiveness of IRS efforts to improve Tivoli® computer connectivity, which is critical to the effectiveness of all Tivoli® applications. This review was performed in the Information Technology Services organization at the IRS National Headquarters in Washington, D.C., and the Austin Campus[7] in Austin, Texas, during the period December 2004 through May 2005. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[6] The Implementation of Software Products to Manage and Control Computer Resources Needs Improvement (Reference Number 2003-20-151, dated July 2003).
[7] The data processing arm of the IRS.
The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Results of Review

Since our last review in this area, the IRS has used the Tivoli® software suite to improve software distribution to its computers, but some critical updates are not being installed. We also noted that the IRS could use Tivoli® data to better manage its computer inventory. The success of each of these tasks depends on the ability of the Tivoli® software to connect with computers across the IRS network. We found that the IRS has significantly improved the ability of the Tivoli® software to connect with computers; however, enhancements can be made.

While Software Distribution Has Improved, Critical Updates Were Not Always Installed

The IRS has shown significant progress with the Tivoli® software Distribution application since our last report. Most notably, the percentage of software distribution packages reaching targeted computers increased from 44 percent in April 2003 to 77 percent in May 2005.[8]

Despite the improvement, the IRS has experienced some problems with certain types of software distributions.
From January through May 2005, software updates for the Common Operating Environment (COE)[9] and Microsoft patch updates, which were the two most frequent and important types of distributions made using the Tivoli® software Distribution application, were the most problematic. For these 2 types of distributions, the success rate was 62 percent, as illustrated in Table 1. Aside from these 2 types of distributions, the remaining 2,912 distributions during that time period had a success rate of 81 percent.

    Tivoli® distributions for the COE and Microsoft products were the most problematic, having a success rate of 62 percent compared to 81 percent for all other distributions.

[8] The success rate is a snapshot from the ESM function’s web site, as of May 2005, and represents all software distributions since the ESM function started tracking this information.
The 77 percent was derived by dividing 3,720,342 successful distributions by the 4,808,624 total distribution attempts from July 2003 to May 2005.
[9] The COE is a standardized, configured computer image integrated with a set of standard software packages to support the needs of all IRS employees.

Table 1: Software Distributions for the COE and Microsoft Patches From January Through May 2005

Distribution Type    Number of        Number of     Number of Successful    Success
                     Distributions    Targets       Distributions           Rate
COE                  533              480,546       259,550                 54%
Microsoft Patches    915              725,303       484,091                 67%
Totals               1,448            1,205,849     743,641                 62%

Source: Software distribution data from the ESM function.

The COE distributions are important in maintaining current versions of software used by IRS employees. Microsoft patches are designed to maintain the performance and security of Windows-based computers and products. Further analysis of the Microsoft patches identified a wide variance in success.
While some Microsoft patch distributions were very successful, such as one that successfully reached 86 percent of its 70,000 targets, many others reached fewer than 50 percent of their targets, as shown in Table 2.

Table 2: Microsoft Patch Distributions From January Through April 2005 That Were Less Than 50 Percent Successful

Date of Microsoft     Number of        Number of    Number of Successful    Success
Patch Distribution    Distributions    Targets      Distributions           Rate
4/7/2005              27               142          26                      18%
2/10/2005             11               966          285                     30%
4/11/2005             19               18,868       6,057                   32%
4/15/2005             20               37,778       14,853                  39%
4/19/2005             6                13,353       5,995                   45%
2/12/2005             44               39,543       18,700                  47%

Source: Software distribution data from the ESM function.

Oversized update packages can cause software distributions to fail. According to ESM function personnel, both Microsoft patches and COE packages often include multiple updates, resulting in packages that may be too large to successfully install. For example, the Microsoft patch packages listed in Table 2 included multiple updates. The ultimate success of a multiple update distribution is contingent on success for all updates.
If one update within the package fails, the entire distribution fails.

Although the IRS has informal procedures for software distribution, it has not adopted formal procedures. Without documented guidelines, large packages are developed that may not be delivered through the IRS’ network, do not install properly, or incapacitate computers used to distribute the packages.

    One of the reasons for software distribution failures is the overly large sizes of the update packages. This condition stems from the lack of documented procedures to ensure packages are consistently prepared and developed.

In addition, documented procedures could identify steps to follow in emergency situations. These procedures are critical if staff is unavailable to distribute critical software patches when new viruses emerge. For example, during the IRS response to the Sasser worm[10] in May 2004, existence of formal procedures may have averted an error in the distribution program that resulted in the spread of this worm. The Sasser worm penetrated
The Sasser worm penetrated\nthe IRS network and resulted in an estimated $50 million in lost productivity due to the loss of\nconnectivity caused by the worm.\nSoftware distribution to IRS computers is critical to maintain optimal protection of computers\nand taxpayer data and to ensure the continued performance of computer operations.\nUnsuccessful distributions can lead to outdated software that affects productivity and to missing\npatches on computers, which, in turn, could expose the computer to exploit by hackers,\ndisgruntled employees, and/or malicious programs.\n\nRecommendation\nRecommendation 1: The Chief Information Officer should develop formal procedures that\nprovide guidance and standardization in the preparation of software distributions, including the\nbundling of multiple packages and steps for emergency situations.\n         Management\xe2\x80\x99s Response: The Associate Chief Information Officer, End User\n         Equipment and Services, will develop formal procedures that provide guidance and\n         standardization in the preparation of software distributions. This guidance will include\n         the bundling of multiple packages and steps for emergency situations.\n\nTivoli\xc2\xae Data Are Not Being Used to Manage Computer Inventory and\nSoftware Licenses\nAccording to IRS policy, the Chief Information Officer is responsible for ownership,\nmanagement, and control of all computer property in the IRS. The Information Technology\n\n\n10\n  The Sasser worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows\ncomputers and transferred additional exploitable code to the computers. 
It also probed for other computers to infect.\nThis worm rendered computers inoperable.\n                                                                                                             Page 5\n\x0c                  Progress Has Been Made in Using the Tivoli\xc2\xae Software Suite,\n                    Although Enhancements Are Needed to Better Distribute\n                     Software Updates and Reconcile Computer Inventories\n\n\n\nAsset Management System (ITAMS) is used to record all computer inventories. Tivoli\xc2\xae\nprovides excellent information to supplement the ITAMS database. However, information from\nTivoli\xc2\xae on computer equipment inventory and software installed on desktops and laptops has not\nbeen used effectively.\n\nMismatches between Tivoli\xc2\xae computer inventory data and the ITAMS are not\nbeing resolved\nThe Tivoli\xc2\xae software Inventory application provides current inventory data to the IRS\xe2\x80\x99 official\ncomputer equipment inventory database, the ITAMS. On a weekly basis, the Tivoli\xc2\xae software\nInventory application performs an initial reconciliation between its records and inventory\ninformation from the ITAMS and produces reconciliation reports containing mismatched\ncomputer equipment. From March through May 2005, the number of computers that could not\nbe reconciled averaged over 8,300 computers.\nThe End User Equipment and Services division had made               Reconciliation reports\n                                                                                    \xc2\xae\ninitial attempts to resolve the mismatched computer              between the Tivoli software\nequipment. However, these efforts were hampered by the           Inventory application and the\n                                                                 ITAMS showed an average of\nmislabeling of computer names on the ITAMS. 
Because of\n                                                                    over 8,300 mismatched\nthese difficulties and because responsibility for reconciling             computers.\nthe reports had not been formally assigned, the End User\nEquipment and Services division abandoned its efforts to\nresolve mismatches.\nOur assessment of inventory reconciliation reports from March through May 2005 determined\ncomputers that did not comply with the IRS\xe2\x80\x99 naming standards accounted for 36 percent of the\ncomputers identified by Tivoli\xc2\xae that were not listed on the ITAMS. These mislabeled computers\nmay not contain information necessary to resolve the mismatch, such as location code, machine\ntype, or computer bar code.\nWe also found that the remaining mismatched computers were mainly caused by the inability of\nthe Tivoli\xc2\xae software to successfully connect to computers with and without the Tivoli\xc2\xae software\nclient installed. This issue is discussed later in this report. When the mismatched computers are\nnot resolved, the ITAMS does not include accurate hardware information for all IRS computers.\nAdditionally, incomplete inventory information on IRS computers affects the accuracy of the\nIRS\xe2\x80\x99 financial statements by causing them to have an inaccurate accounting of all IRS computer\nassets. 
Without an accurate accounting of computer assets, management does not have
information needed to make purchasing decisions for new computer equipment.

Tivoli® software inventory data are not used

The Tivoli® software Inventory application has the ability to scan the Tivoli® computers to
identify information on registered software and unknown application files on a frequent, often
daily, basis. However, there is no indication these data are used to manage the IRS’ software
inventory on desktops and laptops. No formal requests for this information have been received
by ESM function personnel, other than internal administrative requests. In addition, there is no
capability to search for specific software information on the ESM function’s web site.

The Tivoli® software Inventory application has the ability to identify both registered and
unauthorized software. However, there is no indication these data are used to manage software
inventory.

With over 100,000 IRS computers, the resources needed to manage compliance with software
license agreements and identify unauthorized software are immense.
The Government
Accountability Office (GAO) has previously reported on the IRS’ control weaknesses in
managing software licenses and determining compliance with them.11 The Tivoli® software
Inventory application can aid in this effort since it can inventory the software on every desktop
and laptop, a process that, if done manually, would require an enormous effort.

However, we found the IRS has not provided specific procedures for using the Tivoli® software
Inventory application to monitor compliance with existing software licenses. While the IRS’
asset management procedures include a title on software management, the section is blank and
reserved for later use.

By not managing software installations and licenses, the IRS may install more copies of the
software than were purchased. As a result, the IRS could be violating software license
agreements, which could result in embarrassment and unnecessary legal fees. As an example,
the IRS analyzed the use of the Monarch software products12 using data from Tivoli®, the
ITAMS, and other sources. In the analysis, the IRS provided documentation for 142 Monarch
software licenses. The IRS had also purchased an indeterminate number of licenses for a
Monarch software product for which documentation did not exist. The Tivoli® data showed that
494 unique computers had a Monarch product installed.
When this information was compared
against the software license data for the Monarch products, the IRS determined the number of
software installations far exceeded the number of licenses purchased.

11 Financial Audit: IRS’s Fiscal Year 2001 and 2000 Financial Statements (GAO-02-414, dated February 2002).
12 Monarch is proprietary software used to create, analyze, and read Collection Activity Reports.

Recommendations

The Chief Information Officer should:

Recommendation 2: Require the Associate Chief Information Officer, End User Equipment
and Services, to resolve mismatches between Tivoli® data and the ITAMS and to ensure all
desktops, laptops, and servers comply with the IRS’ computer naming standards.

        Management’s Response: The Associate Chief Information Officer, End User
        Equipment and Services, will develop appropriate procedures to resolve mismatches
        between Tivoli® data and the ITAMS, ensuring all desktops, laptops, and servers comply
        with the IRS’ computer naming standards.

Recommendation 3: Ensure software management policies and procedures are provided and
responsibility for software management is specified.
The policies and procedures should require
the use of Tivoli® software Inventory application data to monitor compliance with software
licenses.

        Management’s Response: The Associate Chief Information Officer, End User
        Equipment and Services, will develop software management policies and procedures.
        The policies and procedures will identify responsibility for software management and
        will require the use of Tivoli® software Inventory application data to monitor compliance
        with software licenses.

Tivoli® Could Improve Software Distribution and Inventory
Management by Connecting to More Computers

The effectiveness of all Tivoli® applications, including those for software distribution and
inventory management, is dependent on the system’s ability to successfully communicate with
computers on the IRS network. Before the Tivoli® system can connect to an IRS computer, the
Tivoli® client software must be properly installed.13

The IRS has significantly improved Tivoli’s® ability to connect to computers since our July 2003
report. In that report, we found the IRS had a computer connectivity rate of 60 percent
(78,925 of 131,488 computers) in April 2003. The IRS estimates it reached an average of
95 percent (98,545 of 104,147 computers) from January through April 2005.
These
improvements were largely due to the use of comprehensive Tivoli® procedures established since
our last review.

13 Tivoli® terminology refers to computer connectivity as “endpoint health.” A computer that can communicate with
the Tivoli® servers is considered a “healthy endpoint,” whereas a computer that had once communicated with the
Tivoli® server but is no longer able to is called an “unhealthy endpoint.”

While this improvement is commendable, we are concerned with the IRS’ ability to quickly
reach its computers when the need arises. The IRS determines its computer connectivity
percentage based on whether Tivoli® has connected to a computer within the last 30 days.
However, as recent events such as the Sasser worm and other fast-moving computer security
outbreaks have shown, the IRS must install critical security patches as soon as possible. As
such, we believe the 30-day criterion is not realistic and using a 1-week connectivity criterion
is more appropriate in today’s environment.
Factoring in
computers without the Tivoli® client software and our 1-week criterion, we estimate the IRS
cannot reach 18 percent of its computers, or approximately 18,750 computers, in any given
week.

Aside from the change in connection criterion, there are several reasons why some computers
cannot successfully connect to the Tivoli® system or did not have the Tivoli® client software
installed. The following areas of concern are based on either our analyses of Tivoli® data or
interviews with ESM function team members responsible for the Tivoli® applications:

     •   The installation and maintenance of the Tivoli® client software were inconsistently
         performed, mainly due to undocumented procedures. For example, the Tivoli® client
         software should be installed through a script14 after the COE has been installed.
         However, different versions of the script are used, or, in some cases, no script is used at
         all.
     •   ESM function employees were not always given adequate access, through the Windows
         Administration group, to desktop and laptop computers to restore their connectivity. This
         group was not added as part of the script used to install Tivoli® client software after the
         COE has been installed. In addition, they did not have access to restricted networks used
         by several IRS functions, including those used by the Offices of Appeals, Chief Counsel,
         and Criminal Investigation. Without access to these networks, the team is dependent on
         these other functions to maintain computer connectivity, which may not be their highest
         priority.
     •   The IRS has computers that were once on the network but have since been taken out of
         service for long periods of time.
         These computers include those that are inadvertently
         turned off and those taken out of service for future backup or emergency use. When
         ESM function employees are not notified of these computers, the Tivoli® system will
         continue to show these computers as being in service but will be unable to connect with
         them.
     •   Neither the ESM function nor the End User Equipment and Services division has been
         formally assigned the responsibility for ensuring all computers are brought into the
         Tivoli® system, which includes installing the Tivoli® client software on users’ computers.
         Complicating this effort is the large number of computers that are no longer active on the
         IRS network. The ESM function program15 used to identify computers without the
         Tivoli® client software does so by scanning the IRS’ Windows Domain servers but does
         not distinguish between active and inactive accounts.

14 A script is a short program written in a general-purpose programming language to perform certain tasks, including
those that are repetitive in nature.

By being unable to connect to thousands of computers through the Tivoli® system, the IRS will
continue to rely on limited staffing to manually administer these computers, particularly for
installing the latest security patches and inventorying hardware and software. Consequently, the
risk of one or more of these computers being vulnerable to viruses, worms, and other attacks
remains high.
Also, the IRS could understate its financial statements by being unable to verify
its inventory of computer systems through Tivoli® software Inventory application scans.

Recommendations

The Chief Information Officer should:

Recommendation 4: Ensure appropriate ESM function employees have adequate access to
computers and networks to resolve computer connectivity problems. First, the script used for
installing the Tivoli® software client on users’ computers should be modified to allow access by
ESM function employees via the Windows Administration group to manage Tivoli® computers.
Second, access to restricted networks, such as those in the Offices of Appeals, Chief Counsel,
and Criminal Investigation, should be granted to personnel responsible for managing Tivoli®
computer connections.

         Management’s Response: The Associate Chief Information Officer, End User
         Equipment and Services, will develop a plan and procedures to ensure appropriate ESM
         function employees have adequate access to computers and networks to resolve computer
         connectivity issues. The plan and procedures will also account for modifying the script
         used for installing the Tivoli® software client on users’ workstations via the Windows
         Administration group for the purpose of managing Tivoli® computers.
         Second, the plan
         and/or procedures will also grant access to appropriate personnel in the Offices of
         Appeals, Chief Counsel, and Criminal Investigation for managing Tivoli® computer
         connections.

Recommendation 5: Notify all IRS employees of the need for computers to remain online
and connected to the IRS network whenever possible so Tivoli® can communicate with them and
perform management functions.

         Management’s Response: The Associate Chief Information Officer, End User
         Equipment and Services, will continue to notify all IRS employees via Employee
         Advisories of the need for computers to remain online and connected to the IRS network
         whenever possible.

15 ESM function personnel developed the E-Touch program to supplement data from Tivoli® and assist in
identifying computers without the Tivoli® client software.

Recommendation 6: Separately account for Tivoli® computers that are taken out of service
for backup or emergency purposes.
When these computers are brought back online, Tivoli®
should recognize them as active.

         Management’s Response: The Associate Chief Information Officer, End User
         Equipment and Services, will develop appropriate processes and procedures to provide
         exception reporting when computers are taken offline and brought back online to ensure
         Tivoli® recognizes them.

Recommendation 7: Assign formal responsibility for using data available from the ITAMS
or other sources to identify active computers on the IRS network that do not have the Tivoli®
client software installed and for ensuring those computers have the Tivoli® software and can
successfully connect with the Tivoli® system.

         Management’s Response: The Associate Chief Information Officer, End User
         Equipment and Services, will develop a process/procedure to identify systems that are not
         being managed by Tivoli® software so they can either receive the Tivoli® software,
         become part of the Tivoli® managed group, or be removed from the network.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to assess the effectiveness of the Internal Revenue
Service’s (IRS) Tivoli®1 Enterprise Systems Management (ESM) function applications.
While
the IRS has several Tivoli® applications, this review focused on the Tivoli® software Distribution
and software Inventory applications. In addition, we reviewed the effectiveness of the IRS’
efforts to improve Tivoli® computer connectivity, which is critical to the effectiveness of all
Tivoli® applications. To accomplish this objective, we:

I.       Determined whether computer connectivity was adequately managed.
         A. Identified policies, procedures, and standards for managing Tivoli® computer
            connections.
         B. Assessed the process for managing computer connectivity. We extracted computer
            connection data from the ESM function’s web site for each week from January 19 to
            April 28, 2005. These data included information on all IRS Tivoli®-enabled
            computers (the highest total being 105,424 during the time period) and E-Touch
            systems2 (the highest total being 10,845 during the time period).
         C. Identified factors limiting the success of Tivoli® computer connectivity, including
            interviewing all seven Tivoli® team members and identifying trends from Tivoli® data
            obtained.
II.      Assessed the effectiveness of patch3 management and software updates using the Tivoli®
         software Distribution application.
         A. Identified policies, procedures, and standards for patch management and software
            updates.
         B. Assessed the process for patch management and software update using Tivoli®.
         C. Assessed the impact of incomplete patching and incomplete software updates of IRS
            computers. We obtained a detailed summary of all IRS enterprise-wide software
            distributions for Calendar Year 2005. This included data for all 4,360 distributions
            made through May 6, 2005. These data included the package type, size, and date of
            distribution.
         D. Identified factors limiting the success of patch management and software updates
            using Tivoli®.
III.     Assessed the effectiveness of inventorying software and hardware using the Tivoli®
         software Inventory application.
         A. Identified policies, procedures, and standards for inventorying hardware and software.
         B. Assessed the process for inventorying software and hardware.
         C. Assessed the impact of inadequate management of hardware and software inventory.
            We reviewed all nine available weekly Tivoli®/Information Technology Asset
            Management System (ITAMS) reconciliation reports available on the ESM function’s
            web site from March through May 2005. These reports provide details on computers
            managed by Tivoli® but not found on the ITAMS and vice versa.
         D. Identified factors limiting the success of software and hardware inventory.
IV.      Assessed the effectiveness of managing software licenses using the Tivoli® software
         Inventory application.
         A. Identified policies, procedures, and standards for managing software licenses.
         B. Assessed the process for managing software licenses.
         C. Assessed the impact of inadequate management of software licenses.
         D. Identified factors limiting the success of software license management.

1 Tivoli® is a registered trademark owned by IBM.
2 The E-Touch program is a supplemental program developed by ESM function personnel to assist in identifying
computers in the IRS’ architecture, particularly those outside of the Tivoli® environment.
3 A patch is a fix to a program as a result of a design flaw in the program. Patches must be installed or applied to the
applicable computer to correct the flaw.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Kent Sagara, Audit Manager
Myron L. Gulley, Senior Auditor
Michael A. Howard, Senior Auditor
Jimmie Johnson, Senior Auditor
Anthony D. Knox, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, End User Equipment and Services OS:CIO:I:EU
Associate Chief Information Officer, Enterprise Networks OS:CIO:I:EN
Associate Chief Information Officer, Enterprise Operations Services OS:CIO:I:EO
Director, Enterprise Systems Management OS:CIO:I:EU:ESM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaison: Chief Information Officer OS:CIO

Appendix IV

Management’s Response to the Draft Report
'